Hi Nik

It depends on the version of course, but if you grant select any table to developers on an 8.1.7 database the default setting of o7_dictionary_accessibility will be true, and granting this privilege will allow them to see sys.user$, which holds password hashes that could then be cracked offline; also the same with sys.user_history$ and dba_users (although other roles grant select on this); sys.link$ can have clear text passwords for other databases.

From 9i o7_dictionary_accessibility is false, so dictionary access is not possible unless select any dictionary is granted, or direct grants are given, or connect "as sysdba".

From the perspective of non-dictionary access, it depends on how sensitive your data is as to whether your developers should be able to read it all. In general no privileges with the word "ANY" in them should be granted. See a couple of good security checklists on my site at http://www.petefinnigan.com/orasec.htm for some guidelines on securing Oracle.

kind regards

Pete
--
Pete Finnigan
email:pete@xxxxxxxxxxxxxxxx
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
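
An audit check for the points raised in the message above, as an added example that is not part of the original e-mail. It assumes the reviewer can query V$PARAMETER, DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_TAB_PRIVS; the exclusion list of built-in grantees is an assumption to adjust per site.

```sql
-- Added example (not from the original e-mail).

-- 1. Is the dictionary reachable through SELECT ANY TABLE?
--    TRUE (the 8.1.7 default) means "ANY" privileges also cover SYS objects.
SELECT name, value
FROM   v$parameter
WHERE  LOWER(name) = 'o7_dictionary_accessibility';

-- 2. Users and roles holding any system privilege containing the word "ANY"
--    (includes SELECT ANY TABLE and SELECT ANY DICTIONARY).
--    The NOT IN list is an assumed baseline of built-in grantees.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '% ANY %'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;

-- 3. Accounts that pick up an "ANY" privilege through a role.
--    One level of role nesting only; roles granted to roles need a second pass.
SELECT rp.grantee, rp.granted_role, sp.privilege
FROM   dba_role_privs rp, dba_sys_privs sp
WHERE  sp.grantee = rp.granted_role
AND    sp.privilege LIKE '% ANY %'
AND    rp.grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY rp.grantee, sp.privilege;

-- 4. Direct grants on the dictionary objects named in the message,
--    which expose password hashes or database link passwords.
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('USER$', 'USER_HISTORY$', 'LINK$', 'DBA_USERS')
ORDER  BY table_name, grantee;
```

Any developer account returned by queries 2 to 4 is a candidate for revocation and replacement with grants on the specific objects it needs.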